f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65

Analysis

max time kernel
14s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Size

1.9MB
MD5

64260d17d575ecd7e8ec3602ab9ce110
SHA1

9112efff7e05366bb0ce4bdd24ed4cd715375518
SHA256

f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65
SHA512

e32bd733cf5d46b1cda4ed6cc0a712aae0243ca8b3234b382e0bc67d37c11de6d8fb0b83f8514150ae2352c82fb30dd118a1b99dce44675c307bfe5cf10e233b
SSDEEP

49152:V/VJ66REO7hyLUfef975cnm1dm9glsAGJt48cWFcoWA1bp:pVgOloUc97H7mysH4Wj1d

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\K:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\Q:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\X:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\B:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\G:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\N:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\P:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\R:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\S:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\W:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\E:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\I:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\J:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\M:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\T:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\U:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\V:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\A:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\L:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\O:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\Y:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File opened (read-only)	\??\Z:	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\porn sperm catfight glans upskirt .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\american cumshot lesbian masturbation (Jade).rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black cum beast big YEâPSè& .avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\hardcore big black hairunshaved .avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish porn hardcore [milf] titts .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\hardcore [bangbus] hole (Anniston,Samantha).mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\italian fetish horse sleeping feet pregnant (Karin).mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SysWOW64\IME\SHARED\hardcore [bangbus] gorgeoushorny (Britney,Sylvia).zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lingerie big glans blondie .zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian beastiality gay [free] hotel .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SysWOW64\FxsTmp\japanese nude bukkake hidden feet mistress .avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\System32\DriverStore\Temp\russian action horse public (Liz).mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\german sperm hot (!) high heels .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\spanish lesbian girls cock ¤ç (Jade).rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files\Common Files\microsoft shared\brasilian gang bang beast uncut glans YEâPSè& (Sylvia).mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files\Microsoft Office\root\Templates\italian handjob blowjob [milf] .zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\brasilian nude lesbian catfight (Janette).rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\brasilian horse sperm public feet .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\swedish nude lesbian [bangbus] hole wifey .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\russian cum gay lesbian cock stockings (Karin).mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files (x86)\Google\Temp\japanese fetish gay several models feet .avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files (x86)\Google\Update\Download\lesbian [milf] titts 40+ .mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\bukkake several models cock blondie (Sarah).zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\american cumshot bukkake hot (!) .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\fucking [bangbus] black hairunshaved .avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\horse several models .mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\chinese lingerie masturbation penetration .mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\indian porn horse licking granny .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\hardcore public .avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\african bukkake [bangbus] mature .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\beast masturbation wifey .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\lingerie licking .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\beast lesbian latex (Ashley,Tatjana).avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\german sperm [free] .mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\french gay licking latex .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\beast big .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\canadian sperm licking feet castration .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\horse big (Sarah).zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\cumshot sperm licking glans .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\british beast masturbation titts .mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\black cum beast hot (!) balls (Kathrin,Samantha).mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\sperm uncut .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\german horse full movie cock penetration (Curtney).rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\beast hidden wifey .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\brasilian handjob trambling big (Tatjana).mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\horse [free] 40+ (Sonja,Karin).mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\assembly\temp\russian porn xxx [free] ash .zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\italian gang bang horse several models castration .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\american fetish blowjob sleeping (Melissa).avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\brasilian kicking gay [milf] hole .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\nude lingerie full movie upskirt .avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\danish nude bukkake catfight glans circumcision .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\fucking full movie .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\african xxx lesbian glans .zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\japanese animal gay several models glans .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\InputMethod\SHARED\sperm licking glans 50+ (Tatjana).rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\italian beastiality lesbian lesbian (Melissa).zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\bukkake [free] titts bedroom .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\swedish fetish bukkake several models hotel (Ashley,Karin).mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\black action gay catfight ash (Britney,Curtney).mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\indian action gay [free] .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\animal bukkake uncut cock .mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\japanese animal horse licking (Liz).avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\british xxx uncut cock .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\assembly\tmp\japanese kicking trambling hot (!) .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\fucking public .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\fucking several models titts 50+ .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\german xxx [bangbus] cock .mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\british hardcore big castration .mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\fetish sperm uncut pregnant .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\gang bang beast [milf] Ôï (Jenna,Liz).mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\black nude hardcore masturbation sweet .zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\PLA\Templates\tyrkish action trambling hot (!) hole .zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\fucking full movie feet 40+ .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\american cum trambling hidden (Tatjana).zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\russian horse horse licking YEâPSè& .zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\tyrkish horse gay [bangbus] glans .zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\tyrkish kicking hardcore full movie Ôï (Sonja,Janette).rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\danish gang bang fucking licking feet balls .zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\french sperm masturbation wifey .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\CbsTemp\american beastiality horse hot (!) upskirt .mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\indian porn horse public ash .mpg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\british horse masturbation titts .zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\asian horse [bangbus] hole boots (Samantha).zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\french hardcore licking bedroom .zip.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\beastiality bukkake girls (Sarah).rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\blowjob hidden titts (Sonja,Tatjana).avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\Downloaded Program Files\indian nude horse [milf] .rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\bukkake [milf] titts mistress .avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\brasilian cum trambling hot (!) ¤ç .mpeg.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\horse voyeur wifey (Jenna,Melissa).avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\japanese cumshot trambling girls glans .avi.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\french bukkake lesbian (Sylvia).rar.exe	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1864	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1864	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
2332	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
2332	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3116	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3116	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1940	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1940	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1372	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1372	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1864	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1864	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1308	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1308	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
2332	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
2332	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3856	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3856	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
320	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
320	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3116	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3116	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
4976	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
4976	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
2040	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
2040	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1864	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1864	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
4676	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
4676	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1940	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1940	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
2200	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
2200	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1532	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1532	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
2332	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
2332	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3492	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3492	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1372	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1372	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1308	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
1308	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3296	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
3296	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 1740	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	84
PID 3112 wrote to memory of 1740	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	84
PID 3112 wrote to memory of 1740	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	84
PID 1740 wrote to memory of 1864	1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	87
PID 1740 wrote to memory of 1864	1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	87
PID 1740 wrote to memory of 1864	1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	87
PID 3112 wrote to memory of 2332	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	88
PID 3112 wrote to memory of 2332	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	88
PID 3112 wrote to memory of 2332	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	88
PID 1740 wrote to memory of 3116	1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	90
PID 1740 wrote to memory of 3116	1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	90
PID 1740 wrote to memory of 3116	1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	90
PID 1864 wrote to memory of 1940	1864	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	91
PID 1864 wrote to memory of 1940	1864	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	91
PID 1864 wrote to memory of 1940	1864	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	91
PID 3112 wrote to memory of 1372	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	92
PID 3112 wrote to memory of 1372	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	92
PID 3112 wrote to memory of 1372	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	92
PID 2332 wrote to memory of 1308	2332	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	93
PID 2332 wrote to memory of 1308	2332	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	93
PID 2332 wrote to memory of 1308	2332	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	93
PID 1740 wrote to memory of 3856	1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	95
PID 1740 wrote to memory of 3856	1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	95
PID 1740 wrote to memory of 3856	1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	95
PID 3116 wrote to memory of 320	3116	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	96
PID 3116 wrote to memory of 320	3116	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	96
PID 3116 wrote to memory of 320	3116	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	96
PID 1864 wrote to memory of 4976	1864	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	98
PID 1864 wrote to memory of 4976	1864	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	98
PID 1864 wrote to memory of 4976	1864	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	98
PID 3112 wrote to memory of 2040	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	99
PID 3112 wrote to memory of 2040	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	99
PID 3112 wrote to memory of 2040	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	99
PID 1940 wrote to memory of 4676	1940	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	100
PID 1940 wrote to memory of 4676	1940	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	100
PID 1940 wrote to memory of 4676	1940	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	100
PID 2332 wrote to memory of 2200	2332	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	101
PID 2332 wrote to memory of 2200	2332	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	101
PID 2332 wrote to memory of 2200	2332	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	101
PID 1372 wrote to memory of 1532	1372	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	102
PID 1372 wrote to memory of 1532	1372	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	102
PID 1372 wrote to memory of 1532	1372	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	102
PID 1308 wrote to memory of 3492	1308	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	103
PID 1308 wrote to memory of 3492	1308	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	103
PID 1308 wrote to memory of 3492	1308	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	103
PID 1740 wrote to memory of 3296	1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	104
PID 1740 wrote to memory of 3296	1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	104
PID 1740 wrote to memory of 3296	1740	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	104
PID 3116 wrote to memory of 1828	3116	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	105
PID 3116 wrote to memory of 1828	3116	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	105
PID 3116 wrote to memory of 1828	3116	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	105
PID 320 wrote to memory of 3060	320	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	106
PID 320 wrote to memory of 3060	320	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	106
PID 320 wrote to memory of 3060	320	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	106
PID 3856 wrote to memory of 4260	3856	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	107
PID 3856 wrote to memory of 4260	3856	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	107
PID 3856 wrote to memory of 4260	3856	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	107
PID 3112 wrote to memory of 2672	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	108
PID 3112 wrote to memory of 2672	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	108
PID 3112 wrote to memory of 2672	3112	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	108
PID 1308 wrote to memory of 4664	1308	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	109
PID 1308 wrote to memory of 4664	1308	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	109
PID 1308 wrote to memory of 4664	1308	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	109
PID 1940 wrote to memory of 5108	1940	f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe	110

C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
"C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
  "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:6572
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        8⤵
        
        PID:11884
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:8760
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:12384
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:10336
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:7976
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:11244
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:5108
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:8300
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:11552
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:6744
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:12424
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:9220
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:13060
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:5396
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:7432
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:10452
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:6616
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:12260
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:8660
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:12416
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4976
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:752
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:6500
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:11796
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:8632
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:12224
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:5868
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:9852
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:14004
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:7488
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:10612
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:3416
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:5908
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:9844
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:14044
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:7788
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:11128
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:5564
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:8604
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:12268
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:6892
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:14020
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:9188
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:13068
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:320
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:6592
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        8⤵
        
        PID:11892
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:8752
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:12400
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:10064
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:14052
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:7992
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:11120
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:2576
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:11624
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:8548
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:12136
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:5752
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:10024
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:14120
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:7472
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:10496
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1828
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:928
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:6816
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:856
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:9104
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:13012
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:6180
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:11584
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:8120
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:11304
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:1468
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:6256
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:10736
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:8084
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:11424
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:5732
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:9568
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:14340
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:7252
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:14136
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:10056
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:14128
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:4260
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:2448
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:12244
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:8936
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:12636
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:6100
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:10032
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:14144
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:7752
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:10836
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:1676
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:6248
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:11616
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:8452
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:11696
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:5640
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:8596
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:12432
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:7140
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:13580
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:9488
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:13756
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3296
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:1104
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:6524
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:12252
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:8896
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:12212
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:6156
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:11592
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:7984
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:11260
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:244
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:6348
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:11608
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:8112
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:11288
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:5736
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:9768
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:14012
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:7228
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:14760
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:9920
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:14060
- C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
  "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3492
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:2732
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:6492
        
        C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        7⤵
        
        PID:11960
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:8736
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:12392
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:5860
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:10048
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:14076
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:7440
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:10604
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:4664
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:5372
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:7604
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:10676
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:6696
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:13320
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:9048
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:12912
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:5316
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:8292
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:11536
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:6608
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:13088
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:9040
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:13052
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:4460
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:6484
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:11788
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:8644
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:12408
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:6064
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:10356
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:14812
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:7716
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:10764
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:5820
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:9880
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:14092
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:7480
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:10468
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:5484
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:8564
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:12116
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:6672
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:13292
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:9120
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:13076
- C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
  "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:540
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:6600
      - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        6⤵
        
        PID:11984
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:8944
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:12644
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:6092
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:9888
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:14068
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:7744
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:10840
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:6132
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:10112
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:14488
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:7724
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:11024
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:5496
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:8588
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:12124
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:6808
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:13308
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:9112
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:13300
- C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
  "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:6512
    - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
        5⤵
        
        PID:11860
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:8744
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:12604
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:6044
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:10728
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:7760
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:10852
- C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
  "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
  2⤵
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:5364
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:7496
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:10528
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:6656
  - - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
      "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
      4⤵
      PID:13096
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:8924
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:12592
- C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
  "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
  2⤵
  PID:5300
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:7512
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:10476
- C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
  "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
  2⤵
  PID:6584
- - C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
    "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
    3⤵
    PID:11976
- C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
  "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
  2⤵
  PID:9020
- C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe
  "C:\Users\Admin\AppData\Local\Temp\f06ffbdef1e9a2dbf895d6537ee7f9570717ed0f6897ba1ce1da42da527b2e65N.exe"
  2⤵
  PID:12888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\brasilian nude lesbian catfight (Janette).rar.exe

Filesize
1.0MB

MD5
b09d3840381d882d85eda7b0a49271fc

SHA1
f39e548b9b3760299a084c80feb14a1547734472

SHA256
2408317a0cc78992b41dfd7706b416516eff1666daf55ebdc5e5910d6086c741

SHA512
76c15a01d2d2dca995ba5bcad3f32f06adfa77d4fb3f8eec9c19e314abac86718e615c52569bf397b0c364f6504f0926be260024cebe411376350a6ce6aa5a33

Download Submit